Hi Beeblebrox,
I took a look at your configuration on google docs and I must say it is
a rather complex strategy you have chosen. I won't try to fix your
configuration but instead give some general advice based on my own
experience.
-> Instead of relying heavily on nat and redirect rules try to use
routing between your addresses. This would work just by allowing routing
in the kernel. Examine routing tables using netstat -rn.
-> Use the tool pftop accessible from the ports collection and examine
the state table. This usually gives an indication of where to look for
the missing responses. It will also show you which IP is being used as
gateway while doing NAT.
-> Verify your rules look as expected with 'pfctl -s rules' and 'pfctl
-s nat'.
-> Be sure you understand how filtering works. I would recommend reading
the online tutorials by Peter N. M. Hansteen at
http://home.nuug.no/~peter/pf/en/
-> If you really want to dig deep buy the "Book of PF". I read it myself
and it helped a lot to understand the possibilities but also the
constraints of pf. The book does not specifically treat the subject of
jails though.
Good luck with the rules (and merry Christmas)
Carsten Larsen
---
Beeblebrox wrote:
Hi Carsten,
Thanks very much for your ideas & input. I have it working mostly as you
advised. Nat rules:
nat on $ExtIf proto {tcp,udp} from $jdns to $JaIf port 443 tag NAT_DNS -> $ExtIf # I use dnscrypt-proxy
nat on $ExtIf proto {tcp,udp} from $jprvx to $JaIf port {80,443} tag NAT_PRVX -> $ExtIf
nat on $ExtIf from any to !($ExtIf) -> $ExtIf
I don't have to use different ports, it works as is. Tagging does help
distinguish between "same port, different jail" (for port 443 as example).
That said, I seem to have run into a strange filter rule problem. I aim to
block all ports that each jail is not using. Partial filter rules:
block drop log (all) on $ExtIf
block drop log (all) on $JaIf
##_PRIVOXY
pass in quick on $JaIf proto tcp from any to $jprvx port 8118
pass out quick on {$JaIf,$ExtIf} inet tagged NAT_PRVX $TcpState $OpenSTO
The strangeness: When I comment out the block code (rules lines 1 & 2
above), the privoxy jail stops working. tcpdump shows:
1387731935.321882 rule 13..16777216/0(match): block out on lo2: 192.168.2.99.55548 > 192.168.2.99.8118: Flags [S], seq 1465289666, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 19234153 ecr 0], length 0
1387731935.321927 rule 13..16777216/0(match): block out on lo2: 192.168.2.99.55549 > 192.168.2.99.8118: Flags [S], seq 650179452, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 19234153 ecr 0], length 0
1387731935.322052 rule 13..16777216/0(match): block out on lo2: 192.168.2.99.55550 > 192.168.2.99.8118: Flags [S], seq 1328782560, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 19234153 ecr 0], length 0
1387731935.322084 rule 13..16777216/0(match): block out on lo2: 192.168.2.99.55551 > 192.168.2.99.8118: Flags [S], seq 3999782183, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 19234153 ecr 0], length 0
Is the problem with the port that privoxy is using, or do I need to allow
some other pass rule for each jail (like jail's lo0 must be able to pass to
<jail-ip>:8118)?
Also add scrub to ensure no packet fragmentation. This is needed for pf
to work.
I have a bunch of code I have omitted so as to keep the messages short.
Thanks and Regards.
-----
FreeBSD-11-current_amd64_root-on-zfs_RadeonKMS
--
View this message in context:
http://freebsd.1045724.n5.nabble.com/NAT-RDR-rules-for-jailed-proxy-services-tp5869777p5870782.html
Sent from the freebsd-pf mailing list archive at Nabble.com.
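As an added example (my own code, not from either poster, from pf or from tcpdump), here is a small Python script that parses pflog text lines of the kind Beeblebrox pasted and tallies blocked packets per interface, direction, rule number and endpoint pair. That is the step between "tcpdump on pflog0 shows blocks" and Carsten's "look at 'pfctl -s rules'": the rule number printed by tcpdump is the "@N" index shown by 'pfctl -vvsr', so the summary tells you which rule to inspect. The first four sample lines are the ones from the message above (rejoined onto single lines); the fifth is constructed. Function names are mine, the timestamp format assumed is tcpdump's '-tt' form, and the sub-rule number and the value after "/" are carried through as strings without being interpreted.

```python
import re
from collections import Counter

# One-line pflog records as printed by e.g.  tcpdump -n -e -tt -i pflog0
# Layout:
#   <ts> rule <nr>[.<anchor>.<subrule>]/<n>(<reason>): <action> <dir> on <if>: <src> > <dst>: <rest>
# The sub-rule number and the value after "/" are kept as strings and not
# interpreted here; their meaning differs between tcpdump versions.
PFLOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+"
    r"rule (?P<rule>\d+)(?:\.(?P<anchor>[^.\s]*)\.(?P<subrule>\d+))?"
    r"/(?P<extra>\d+)\((?P<reason>[\w-]+)\):\s+"
    r"(?P<action>\w+)\s+(?P<dir>in|out)\s+on\s+(?P<ifname>\S+):\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s*(?P<rest>.*)$"
)


def _split_endpoint(endpoint):
    """Split tcpdump's 'host.port' form; returns (host, None) if there is no port."""
    host, sep, port = endpoint.rpartition(".")
    if sep and port.isdigit():
        return host, int(port)
    return endpoint, None


def parse_pflog_line(line):
    """Parse one pflog text line into a dict, or return None if it does not match."""
    m = PFLOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])          # same index as "@N" in 'pfctl -vvsr'
    rec["src_ip"], rec["src_port"] = _split_endpoint(rec["src"])
    rec["dst_ip"], rec["dst_port"] = _split_endpoint(rec["dst"])
    rec["syn"] = rec["rest"].startswith("Flags [S]")
    return rec


def summarize_blocks(lines):
    """Count blocked packets keyed by (iface, dir, rule nr, src ip, dst ip, dst port)."""
    counts = Counter()
    for line in lines:
        rec = parse_pflog_line(line)
        if rec is None or rec["action"] != "block":
            continue                        # logged passes and unparsable lines are ignored
        counts[(rec["ifname"], rec["dir"], rec["rule"],
                rec["src_ip"], rec["dst_ip"], rec["dst_port"])] += 1
    return counts


def hints(counts):
    """One human-readable line per blocked flow, pointing at the pf rule to inspect."""
    out = []
    for key, n in sorted(counts.items(), key=lambda kv: str(kv[0])):
        ifname, direction, rule, src_ip, dst_ip, dst_port = key
        msg = (f"rule @{rule} blocked {n} packet(s) {direction} on {ifname}: "
               f"{src_ip} -> {dst_ip}:{dst_port}; inspect entry @{rule} in 'pfctl -vvsr'")
        if src_ip == dst_ip:
            # Host-local traffic on the interface: a "block ... on <if>" rule matches it
            # just like anything else unless some pass rule on that interface covers it.
            msg += (f" (source equals destination: host-local traffic on {ifname}, "
                    f"which a 'block ... on {ifname}' rule also matches unless a pass rule covers it)")
        out.append(msg)
    return out


# The first four lines are the ones posted in the thread above (rejoined onto
# single lines); the fifth is constructed to show that a logged pass is ignored.
SAMPLE_LINES = [
    "1387731935.321882 rule 13..16777216/0(match): block out on lo2: 192.168.2.99.55548 > 192.168.2.99.8118: Flags [S], seq 1465289666, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 19234153 ecr 0], length 0",
    "1387731935.321927 rule 13..16777216/0(match): block out on lo2: 192.168.2.99.55549 > 192.168.2.99.8118: Flags [S], seq 650179452, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 19234153 ecr 0], length 0",
    "1387731935.322052 rule 13..16777216/0(match): block out on lo2: 192.168.2.99.55550 > 192.168.2.99.8118: Flags [S], seq 1328782560, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 19234153 ecr 0], length 0",
    "1387731935.322084 rule 13..16777216/0(match): block out on lo2: 192.168.2.99.55551 > 192.168.2.99.8118: Flags [S], seq 3999782183, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 19234153 ecr 0], length 0",
    "1387731935.400000 rule 7..16777216/0(match): pass in on lo2: 192.168.2.50.40000 > 192.168.2.99.8118: Flags [S], seq 1, win 65535, options [mss 1460], length 0",
]


if __name__ == "__main__":
    import sys
    # Pipe real output in:  tcpdump -n -e -tt -i pflog0 | python3 pflog_summary.py
    lines = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin
    for h in hints(summarize_blocks(lines)):
        print(h)
```

Run stand-alone it reports the one flow from the post: four SYNs out on lo2 from 192.168.2.99 to 192.168.2.99:8118 blocked by rule @13, flagged as host-local traffic. Feeding it live tcpdump output on pflog0 gives the same kind of tally for whatever the current ruleset is dropping.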
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"